Data breaches: Surrey Police second worst

SURREY Police staff committed more than 200 data breaches during a four-and-a-half-year period, making it the second worst force in the country, new figures reveal.

A report published by the civil liberties campaign group Big Brother Watch last week reveals the Surrey force recorded 202 data breaches between June 2011 and December 2015.

Using freedom of information legislation, each force in the country was asked to reveal the number of times police or staff had been convicted, dismissed or disciplined internally for a data breach.

The Data Protection Act 1998 states that personal data should only be accessed for legitimate purposes and must only ever be used for specified and lawful reasons, and should not be kept longer than necessary.

Some of the offences committed by officers or civilian staff at Surrey Police included inappropriately sharing information with a third party, accessing police systems without a policing purpose, improper disclosure of information and using police systems under another person’s details.

At Surrey Police, 86 data breaches led to action by managers, 51 breaches led to verbal and written warnings, and 29 led to dismissals.

No action was taken following 16 breaches.

Nine breaches led to a resignation and two were followed by retirement.

Four investigations are ongoing and three incidents were not proven.

Information was not provided on two incidents.

Only West Midlands Police, with 488 breaches, had a worse record.

In comparison, neighbouring Sussex Police recorded only 63 breaches.

The Investigatory Powers Bill is currently going through the House of Lords to make provision for the interception of the public’s communications in relation to national security.

The Bill is intended to create a comprehensive framework that governs the way police, security and intelligence agencies intercept, store and use personal data.

Renate Samson, chief executive of Big Brother Watch, said: “We trust the police to keep us safe. In the 21st century that is as much about keeping our data secure as protecting us on the streets.

“The revelation that the police are still committing 10 data breaches a week shows that work still needs to be done before we can be sure our personal information is safe in their hands.

“The government are about to give law enforcement access to the details of all the websites each and every one of us look at.

“In light of our findings questions must be asked about whether more access will make for better policing, or only increase the opportunities for misuse.”

Big Brother Watch recommended custodial sentences for serious breaches, mandatory reporting of a breach that concerns a member of the public, removal of internet connection records from the Investigatory Powers Bill and adoption of the General Data Protection Regulations.

A Surrey Police spokesman said: “A proactive vetting audit was carried out within the timeframe of the Big Brother Watch report, which uncovered a number of historic computer misuse cases. After that trawl was completed, the number of computer misuse cases returned to a normal level.

“In addition, the way the force records data protection breaches means that if one individual committed six data protection offences, this would be recorded as six breaches. The vast majority of Surrey officers and staff behave in an honest and professional manner and are encouraged to raise any concerns so problems can be identified and addressed at an early stage.”